KQL · Elastic-2.0 · from elastic/detection-rules

Potential LSASS Memory Dump via PssCaptureSnapShot

Rule source: rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
event.category:process and host.os.type:windows and event.code:10 and
 winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or
                                 "c:\\Windows\\system32\\lsass.exe" or
                                 "c:\\Windows\\System32\\lsass.exe")
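The query above is only the base filter: on its own it matches every Sysmon Event ID 10 (ProcessAccess) whose TargetImage is one of the three literal lsass.exe paths (KQL on a keyword field is an exact, case-sensitive match, hence the casing variants). What makes the rule specific to PssCaptureSnapShot is its threshold: in the upstream rule the query feeds a threshold on process.entity_id that fires when one source process accesses two distinct winlog.event_data.TargetProcessId values, because PssCaptureSnapShot clones lsass.exe into a second process that keeps the same image path but gets a new PID, so the dumper touches the live LSASS and then the clone. The following Python is an added example, not code from the Elastic rule or the detection-rules project: it replays that filter and threshold over constructed Winlogbeat/ECS-shaped records. The entity IDs, image paths, PIDs and GrantedAccess values are made up for the example.

```python
"""Replay of the LSASS-via-PssCaptureSnapShot detection over constructed Sysmon
Event ID 10 records (added example; field values below are invented)."""
from collections import defaultdict

# The three literal TargetImage values from the rule's KQL. A KQL term match on a
# keyword field is exact and case-sensitive, which is why the rule lists the
# casings Sysmon actually emits rather than one pattern.
LSASS_IMAGES = {
    r"C:\Windows\system32\lsass.exe",
    r"c:\Windows\system32\lsass.exe",
    r"c:\Windows\System32\lsass.exe",
}


def matches_base_filter(event: dict) -> bool:
    """Equivalent of: event.category:process and host.os.type:windows and
    event.code:10 and winlog.event_data.TargetImage:(<three lsass paths>)."""
    return (
        event.get("event.category") == "process"
        and event.get("host.os.type") == "windows"
        and event.get("event.code") == "10"  # Winlogbeat ships event.code as a keyword string
        and event.get("winlog.event_data.TargetImage") in LSASS_IMAGES
    )


def snapshot_alerts(events) -> list:
    """Threshold stage: group matching events by the source process (process.entity_id)
    and alert when one source touched two or more distinct LSASS PIDs, i.e. the live
    lsass.exe plus the PssCaptureSnapShot clone. Returns the alerting entity IDs."""
    targets = defaultdict(set)
    for ev in events:
        if matches_base_filter(ev):
            targets[ev["process.entity_id"]].add(ev["winlog.event_data.TargetProcessId"])
    return sorted(src for src, pids in targets.items() if len(pids) >= 2)


def sysmon_access(entity_id, source_image, target_image, target_pid, granted_access="0x1FFFFF"):
    """Build a constructed Sysmon Event ID 10 record in the flattened ECS shape the rule reads."""
    return {
        "event.category": "process",
        "host.os.type": "windows",
        "event.code": "10",
        "process.entity_id": entity_id,
        "winlog.event_data.SourceImage": source_image,
        "winlog.event_data.TargetImage": target_image,
        "winlog.event_data.TargetProcessId": target_pid,
        "winlog.event_data.GrantedAccess": granted_access,  # not filtered by this rule
    }


# Constructed sample log, not captured data.
SAMPLE_EVENTS = [
    # Benign: one handle to the live lsass.exe, a single target PID, never reaches the threshold.
    sysmon_access("host-a-svchost-1", r"C:\Windows\system32\svchost.exe",
                  r"C:\Windows\system32\lsass.exe", "700", "0x1000"),
    # Suspicious: the same source opens the live lsass.exe and then the snapshot clone
    # created by PssCaptureSnapShot (same image path, different PID).
    sysmon_access("host-a-dumper-1", r"C:\Users\Public\dump.exe",
                  r"C:\Windows\system32\lsass.exe", "700"),
    sysmon_access("host-a-dumper-1", r"C:\Users\Public\dump.exe",
                  r"C:\Windows\system32\lsass.exe", "4312"),
    # Dropped by the base filter: the target is not lsass.exe.
    sysmon_access("host-a-dumper-1", r"C:\Users\Public\dump.exe",
                  r"C:\Windows\system32\svchost.exe", "900"),
    # Dropped by the base filter: this casing is not in the rule's literal list,
    # showing that the KQL match is exact rather than case-insensitive.
    sysmon_access("host-a-other-1", r"C:\Tools\x.exe",
                  r"C:\WINDOWS\SYSTEM32\lsass.exe", "700"),
    sysmon_access("host-a-other-1", r"C:\Tools\x.exe",
                  r"C:\WINDOWS\SYSTEM32\lsass.exe", "4400"),
]

if __name__ == "__main__":
    print("alerting source processes:", snapshot_alerts(SAMPLE_EVENTS))
```

The threshold stage is what keeps the false-positive rate tolerable: on a live host, AV, EDR and several Windows components legitimately open handles to lsass.exe, so the base filter alone is a firehose, while two different LSASS PIDs from one source within the rule's window is rare outside of snapshot-based dumping. The example groups over the whole input; the production rule applies the same grouping within its scheduled lookback window.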